diff --git a/doc/EN/backups.org b/doc/EN/backups.org index da17a1b8..b33d43b4 100644 --- a/doc/EN/backups.org +++ b/doc/EN/backups.org @@ -11,12 +11,24 @@ #+BEGIN_CENTER #+ATTR_HTML: :border -1 | [[file:index.html][Home]] | +| [[Backup keys]] | | [[Backup to USB]] | | [[Restore from USB]] | | [[Distributed backups]] | | [[Restore from a friend]] | #+END_CENTER +* Backup keys +As part of the Freedombone installation the GPG key used to encrypt backups will have been added to the /.gnupg/ keyring in your home directory. Ensure that you have a copy of all your keys by plugging in a LUKS encrypted USB drive and then running the command: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +freedombone-keydrive -u [username] --master +#+END_SRC + +Keep this USB drive in some safe place, since it will enable you to restore from previous backups. + +A pro-tip for the best possible security is to create multiple USB drives containing key fragments, and then to distribute them amongst your friends. In the worst case just ask for the drives back and you'll be able to reconstruct the backup key. You can do this by ommitting the /--master/ option in the above command and then repeating the process with a number of different USB drives (typically 4 or more). * Backup to USB First and foremost - *encrypt your USB drives*! Even if you think you have "/nothing to hide/" if you accidentally lose a USB thumb drive (it's easy to lose small objects) and it's not encrypted then potentially someone might be able to obtain enough information about you to commit identity fraud, take out loans, open bank accounts, etc. Use LUKS encryption. In Ubuntu you can do this using the /Disk Utility/ application. Some instructions [[https://help.ubuntu.com/community/EncryptedFilesystemsOnRemovableStorage][can be found here]]. @@ -30,25 +42,36 @@ su backup #+END_SRC -Type in the password for the USB drive, then if this is the first time that you've made a backup then you will be prompted for your GPG key passphrase. +Type in the password for the USB drive, then the backup will begin. When the backup ends remove the USB drive and keep it somewhere safe. Even if it gets lost or falls into the wrong hands the content is encrypted and so is unlikely to become a source of leaks. * Restore from USB +Log into the system and become the root user: + +#+BEGIN_SRC bash +ssh username@domainname -p 2222 +su +#+END_SRC + +If this is a new Freedombone installation then you will first need to restore your backup keys. That can be done as follows: + +#+BEGIN_SRC bash +freedombone-recoverkey -u [username] --master +#+END_SRC + Insert the USB thumb drive containing your backup into the front socket of the Beaglebone Black. Log into the system and become the root user, then run the /restore/ command. #+BEGIN_SRC bash -ssh username@domainname -p 2222 -su restore #+END_SRC -Enter the password for the USB drive, then you will be prompted to enter your GPG key passphrase. When the restore is complete you can remove the USB drive. +Enter the password for the USB drive. When the restore is complete you can remove the USB drive. * Distributed backups Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised. -Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the *adduser * command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks will fail. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you. +Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the *adduser * command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks not be easy. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you. #+BEGIN_SRC bash ssh username@domainname -p 2222 @@ -56,21 +79,6 @@ freedombone-remote #+END_SRC You can then enter the usernames, domains and ssh logins for one or more remote servers. The system will try to backup to these remote locations once per day. - -Very important is to take a copy of the contents of *backup.key*. - -#+BEGIN_SRC bash -su -cat /etc/ssl/private/backup.key -#+END_SRC - -If the backup key doesn't yet exist then you can manually create it with: - -#+BEGIN_SRC bash -freedombone-addcert -h backup -#+END_SRC - -Store it within a password manager on a USB drive which you carry with you. In the worst case scenario you'll be able to restore your system on completely new hardware if you have this key, so long as at least one of your friends servers is accessable via ssh. * Restore from a friend ** With a completely new Freedombone installation This is the ultimate disaster recovery scenario in which you are beginning completely from scratch with new hardware and a new Freedombone installation (configured with the same username and domain names). It is assumed that the old hardware was destroyed, but that you have the backup key stored within a password manager on a USB thumb drive. @@ -84,18 +92,14 @@ freedombone-remote Configure the remote server login details. -Now log in as root and restore the backup key which you have in your password manager. +Now plug in the USB drive containing the backup key and restore it. #+BEGIN_SRC bash su -editor /etc/ssl/private/backup.key +freedombone-recoverkey -u [username] --master #+END_SRC -Paste in the backup key, then save and exit. - -#+BEGIN_SRC bash -chmod 600 /etc/ssl/private/backup.key -#+END_SRC +If you are recovering from multiple USB drives containing key fragments then just ommit the /--master/ option in the above command. Then use the command: diff --git a/website/EN/backups.html b/website/EN/backups.html index 0e68662d..bf6ecc18 100644 --- a/website/EN/backups.html +++ b/website/EN/backups.html @@ -4,7 +4,7 @@ - + @@ -175,28 +175,55 @@ for the JavaScript code in this tag. -Backup to USB +Backup keys -Restore from USB +Backup to USB -Distributed backups +Restore from USB -Restore from a friend +Distributed backups + + + +Restore from a friend
-

Backup to USB

+

Backup keys

+As part of the Freedombone installation the GPG key used to encrypt backups will have been added to the .gnupg keyring in your home directory. Ensure that you have a copy of all your keys by plugging in a LUKS encrypted USB drive and then running the command: +

+ +
+ +
ssh username@domainname -p 2222
+freedombone-keydrive -u [username] --master
+
+
+ +

+Keep this USB drive in some safe place, since it will enable you to restore from previous backups. +

+ +

+A pro-tip for the best possible security is to create multiple USB drives containing key fragments, and then to distribute them amongst your friends. In the worst case just ask for the drives back and you'll be able to reconstruct the backup key. You can do this by ommitting the –master option in the above command and then repeating the process with a number of different USB drives (typically 4 or more). +

+
+
+
+

Backup to USB

+
+

First and foremost - encrypt your USB drives! Even if you think you have "nothing to hide" if you accidentally lose a USB thumb drive (it's easy to lose small objects) and it's not encrypted then potentially someone might be able to obtain enough information about you to commit identity fraud, take out loans, open bank accounts, etc. Use LUKS encryption. In Ubuntu you can do this using the Disk Utility application. Some instructions can be found here.

@@ -217,7 +244,7 @@ backup

-Type in the password for the USB drive, then if this is the first time that you've made a backup then you will be prompted for your GPG key passphrase. +Type in the password for the USB drive, then the backup will begin.

@@ -225,9 +252,30 @@ When the backup ends remove the USB drive and keep it somewhere safe. Even if it

-
-

Restore from USB

-
+
+

Restore from USB

+
+

+Log into the system and become the root user: +

+ +
+ +
ssh username@domainname -p 2222
+su
+
+
+ +

+If this is a new Freedombone installation then you will first need to restore your backup keys. That can be done as follows: +

+ +
+ +
freedombone-recoverkey -u [username] --master
+
+
+

Insert the USB thumb drive containing your backup into the front socket of the Beaglebone Black.

@@ -238,26 +286,24 @@ Log into the system and become the root user, then run the restore comman
-
ssh username@domainname -p 2222
-su
-restore
+
restore

-Enter the password for the USB drive, then you will be prompted to enter your GPG key passphrase. When the restore is complete you can remove the USB drive. +Enter the password for the USB drive. When the restore is complete you can remove the USB drive.

-
-

Distributed backups

-
+
+

Distributed backups

+

Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised.

-Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the adduser <username> command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks will fail. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you. +Firstly you will need to have a user account on one or more of your friends servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the adduser <username> command when logged in as root and then give you the username and password via a secure method, such as on paper or via an encrypted email or via an XMPP chat using OTR. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks not be easy. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you.

@@ -270,39 +316,14 @@ freedombone-remote

You can then enter the usernames, domains and ssh logins for one or more remote servers. The system will try to backup to these remote locations once per day.

- -

-Very important is to take a copy of the contents of backup.key. -

- -
- -
su
-cat /etc/ssl/private/backup.key
-
-
- -

-If the backup key doesn't yet exist then you can manually create it with: -

- -
- -
freedombone-addcert -h backup
-
-
- -

-Store it within a password manager on a USB drive which you carry with you. In the worst case scenario you'll be able to restore your system on completely new hardware if you have this key, so long as at least one of your friends servers is accessable via ssh. -

-
-

Restore from a friend

-
-
-

With a completely new Freedombone installation

-
+
+

Restore from a friend

+
+
+

With a completely new Freedombone installation

+

This is the ultimate disaster recovery scenario in which you are beginning completely from scratch with new hardware and a new Freedombone installation (configured with the same username and domain names). It is assumed that the old hardware was destroyed, but that you have the backup key stored within a password manager on a USB thumb drive.

@@ -323,26 +344,20 @@ Configure the remote server login details.

-Now log in as root and restore the backup key which you have in your password manager. +Now plug in the USB drive containing the backup key and restore it. 

su
-editor /etc/ssl/private/backup.key
+freedombone-recoverkey -u [username] --master

-Paste in the backup key, then save and exit. +If you are recovering from multiple USB drives containing key fragments then just ommit the –master option in the above command.

-
- -
chmod 600 /etc/ssl/private/backup.key
-
-
-

Then use the command:

@@ -354,9 +369,9 @@ Then use the command:
-
-

On an existing Freedombone installation

-
+
+

On an existing Freedombone installation

+

This is for more common situations in which maybe some data became corrupted and you want to restore it.